Reconstructing TCP Sessions

This tool allows you to view the TCP conversation between two hosts. To reconstruct a TCP session, first select a TCP packet on the Packets tab. Depending on the settings (the "Search for the session start when reconstructing TCP sessions" box in Settings => Options => Decoding), the session will be reconstructed either from the selected packet, which may be in the middle of the "conversation", or from the session start. If you want to reconstruct the entire session, it is recommended that you select the first packet in the session; otherwise, the reconstruction may start in the middle of the "conversation". After you locate and select the packet, right-click on it and select Reconstruct TCP Session from the pop-up menu as shown below:

Reconstructing sessions works best for text-based protocols, such as POP3, Telnet, or HTTP. You can also reconstruct a download of a large zipped file, but it can take CommView a long time to reconstruct several megabytes of data, and in most cases the result is of little use. The Contents tab displays the actual session data, while the Session Analysis tab graphically displays the flow of the reconstructed TCP session. A sample HTTP session that contains HTML data displayed in ASCII and HTML modes is shown below:

In HTML display mode, HTML pages never include inline graphics, because in the HTTP protocol images are transferred separately from the HTML data. To view the images, it is usually necessary to navigate to the next TCP session. A sample HTTP session that contains image data displayed in HTML mode is shown below:

By default, CommView attempts to decompress GZIP'd web content and reconstruct images from binary streams. If you want to turn off this functionality, use the Decoding tab of the program's Options dialog.

You can filter out the data that came from one of the directions by unchecking one of the check boxes on the bottom pane. Incoming and outgoing data are marked by different colors for your convenience. If you want to change one of the colors, click Settings => Colors and pick a different color. You can enable or disable word wrapping using the Word Wrap item in the Settings menu.

The Display type drop-down list allows you to view data in the ASCII (plain-text data), HEX (hexadecimal data), HTML (web pages and images), EBCDIC (IBM mainframes' data encoding), and UTF-8 (Unicode data) formats. Please note that viewing data as HTML does not necessarily produce exactly the same result as the one you see in a web browser (e.g. you will not be able to see inline graphics); however, it should give you a good idea of what the original page looked like.

You can choose the default display type for the TCP Session Reconstruction window in the Decoding tab of the program's Options dialog.

The Navigation buttons allow you to search the buffer for the next or previous TCP session. The first forward button (>>) searches for the next session between the two hosts that were involved in the first reconstructed session. The second forward button (>>>) searches for the next session between any two hosts. If you have multiple TCP sessions between the two hosts in the buffer and you'd like to see them all one by one, it is recommended to start the reconstruction from the first session, as the back button (<<) cannot navigate beyond the TCP session that was reconstructed first.

The obtained data can be saved as a binary, HTML, text, or rich text file by clicking File => Save As… . When saving in text format, the resulting file is a Unicode UTF-16 file. When saving in HTML format, the encoding of the resulting file depends on the currently selected Display type: if HTML is currently selected, the resulting file is an ANSI text file; for all other display types the resulting file is a Unicode UTF-16 file. Note that if you're saving an HTTP session with images, the images referenced by the saved HTML file are stored in a temporary location on your hard drive, so if you want to preserve them, open the saved file in your browser and re-save it in a format that includes images, such as MHT, before closing CommView.

You can search for a string in the session by clicking Edit => Find… .

Session Analysis

The Session Analysis tab of the TCP Session window graphically displays the reconstructed TCP session. You can see the session data flow, errors, delays, and retransmissions of lost data.

The following data is displayed for every session packet:

· TCP flags.
· Absolute and relative SEQ and ACK values.
· Packet arrival time.
· Delta time between the current and previous packet.
· Packet number in the reconstructed session.

If a packet contains errors, the nature of the error is explained. It appears as a text description along the right edge of the graph. When you move the mouse over a packet, its contents are displayed in a hint window if the packet contains any data. Note that the Display type field affects the way the data is decoded in the hint window. A sample session analysis window is shown below:

The right pane shows some basic statistics for the given session:

Connection Time - the time it took to establish the TCP connection. In other words, it's the three-way TCP handshake time (SYN => SYN ACK => ACK).

Server Response Time - the time elapsed between the initial client request and the server's first data response.

Data Transfer Time - the time between the server's first and final data responses (0 if there was only one server response).
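As an added example (not CommView's code), the following Python script applies the two ideas on this page to a constructed packet list: it reassembles each direction's payload in SEQ order while discarding retransmitted bytes (what the Contents tab shows), and it computes the per-packet values and the three timings described for the Session Analysis tab. The Pkt record, the "client"/"server" labels and the SAMPLE segments are assumptions made for the example.

```python
from collections import namedtuple
# One captured segment: t = arrival time (s), src = "client"/"server", flags =
# frozenset of TCP flags, seq/ack = absolute values, data = payload (b"" if none).
Pkt = namedtuple("Pkt", "t src flags seq ack data", defaults=(b"",))
F = frozenset
# Constructed sample: a small HTTP/1.0 exchange in which the server segment at
# SEQ 5020 arrives after its successor and is then retransmitted (a duplicate).
SAMPLE = [
    Pkt(0.000, "client", F({"SYN"}), 1000, 0),
    Pkt(0.020, "server", F({"SYN", "ACK"}), 5000, 1001),
    Pkt(0.040, "client", F({"ACK"}), 1001, 5001),
    Pkt(0.041, "client", F({"ACK", "PSH"}), 1001, 5001, b"GET / HTTP/1.0\r\n\r\n"),
    Pkt(0.090, "server", F({"ACK", "PSH"}), 5001, 1019, b"HTTP/1.0 200 OK\r\n\r\n"),
    Pkt(0.130, "server", F({"ACK", "PSH"}), 5028, 1019, b"</html>"),
    Pkt(0.150, "server", F({"ACK", "PSH"}), 5020, 1019, b"<html>hi"),
    Pkt(0.160, "server", F({"ACK", "PSH"}), 5020, 1019, b"<html>hi"),  # retransmit
]

def annotate(pkts):
    """Per-packet rows as on the Session Analysis tab: number, flags,
    relative SEQ/ACK (offset from each side's ISN) and delta time."""
    isn = {p.src: p.seq for p in pkts if "SYN" in p.flags}
    rows, prev = [], pkts[0].t
    for n, p in enumerate(pkts, 1):
        peer = "server" if p.src == "client" else "client"
        rel_ack = p.ack - isn[peer] if "ACK" in p.flags else 0
        rows.append((n, sorted(p.flags), p.seq - isn[p.src], rel_ack, round(p.t - prev, 6)))
        prev = p.t
    return rows

def reassemble(pkts, src):
    """One direction's payload in SEQ order; retransmitted bytes are dropped."""
    out, expected = bytearray(), next(p.seq for p in pkts if p.src == src and "SYN" in p.flags) + 1
    for p in sorted((p for p in pkts if p.src == src and p.data), key=lambda p: p.seq):
        if p.seq + len(p.data) <= expected:          # whole segment already seen
            continue
        out += p.data[max(0, expected - p.seq):]     # skip any overlapping prefix
        expected = p.seq + len(p.data)               # a jump here means lost data
    return bytes(out)

def session_stats(pkts):
    """Connection, Server Response and Data Transfer Time as the right pane defines them."""
    syn = next(p for p in pkts if p.flags == F({"SYN"}))
    hs_ack = next(p for p in pkts if p.src == "client" and p.t > syn.t
                  and "ACK" in p.flags and not p.data)     # third handshake step
    request = next(p for p in pkts if p.src == "client" and p.data)
    resp = [p for p in pkts if p.src == "server" and p.data]
    return {"connection_time": hs_ack.t - syn.t,
            "server_response_time": resp[0].t - request.t,
            "data_transfer_time": resp[-1].t - resp[0].t if len(resp) > 1 else 0.0}
```

Timings are taken from arrival times, so a retransmitted final segment extends the Data Transfer Time just as it would on the graph.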

You can save the graphic layout of the reconstructed TCP session as a BMP, GIF, or PNG file by right-clicking on the layout and selecting the Save Image As… item of the context menu. Sessions with a large number of packets will be split into multiple files.